The present invention is generally directed to a context-aware delegation engine. In particular, the context-aware delegation engine of the present invention can enable an account owner (or delegator) to control the delegation of access to his or her content at a granular level.
Delegation of access is a common feature in many personal information managers (i.e., software applications that provide access to one's emails, calendar items, contacts, files, etc.). For example, Microsoft Outlook provides a “Delegate Access” feature by which the account owner can grant certain types of permissions to another user, including permission to read, create, and/or modify emails, calendar items, tasks, etc.
When the account owner delegates access to another user (referred to as a “delegate”), the delegate can access the account owner's folders in much the same way that the delegate accesses his or her own folders. For example, if the account owner grants full permissions to a delegate within the account owner's inbox, the delegate will be able to read and modify any items stored within the inbox (including sub-folders) as well as send new emails on behalf of the account owner. Similarly, even if the account owner only grants read access to the delegate, the delegate will still be able to view any email or other content stored within the account owner's inbox.
A number of access control systems (or authorization architectures) exist for controlling a user's access to particular content. For example, XACML, which is an example of an Attribute Based Access Control (ABAC) system, has become a standard for access control systems. A XACML system is a “decoupled” system designed to separate the decision point from the point of use. Other authorization architectures such as SAML, OAuth 2.0, and OpenID are similarly decoupled.
FIG. 1 provides a general illustration of the XACML architecture and serves to illustrate the general structure of an authorization architecture within which the present invention could be implemented. As shown, a policy enforcement point 102a acts as a “gateway” between a user computing device 101 and a document 100 that the user would like to access. Accordingly, whenever the user submits a request to access document 100, policy enforcement point 102a will intercept the request and communicate with policy decision point 102b to determine whether the request should be allowed. Policy decision point 102b is configured to access policy retrieval point 102d to obtain a policy applicable to document 100 and evaluate it to determine whether the request should be granted. A policy administration point 102e can be employed to define and store these policies in policy retrieval point 102d. 
In some cases, the policy and request alone may not provide sufficient information to make a determination. In such cases, policy decision point 102b can request that policy information point 102c provide the necessary information. Although not shown, policy information point 102c can be coupled to a number of services (e.g., Active Directory) which can provide the necessary information. Once it has evaluated the request against the policy, policy decision point 102b can instruct policy enforcement point 102a to either allow or deny the request.
It is important to note that this access control process is employed when the user makes a direct request to access content. In other words, a first user's attempt to access a particular document will be evaluated by applying the first user's attributes to the applicable policy. However, in the context of delegation, the access control process is not invoked in this manner. For example, if an account owner delegates access to his inbox to the first user, the first user will be able to read all emails in the inbox even if a policy would have otherwise prevented the first user from directly accessing the emails. In other words, as a delegate of the account owner, the first user will be able to access the inbox as if he or she were the account owner (subject to any permissions specified by the account owner).
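The following sketch is an added example, not part of the original text. It models the decoupled flow of FIG. 1 beside the delegation path described above and lists the items a delegate can read that a direct request would be denied. All names, the sample policy, the directory attributes and the default-deny behaviour are constructed assumptions.

```python
# Constructed model of FIG. 1 and the delegation path (hypothetical names).
from dataclasses import dataclass, field

# Policy retrieval point: resource -> rule over the subject's attributes.
POLICIES = {"email:42": lambda attrs: attrs.get("clearance") == "finance"}

# Store behind the policy information point (stands in for a directory service).
DIRECTORY = {
    "owner": {"clearance": "finance"},
    "first_user": {"clearance": "general"},
}

def pip_lookup(subject):
    """Policy information point: supply attributes the request lacks."""
    return DIRECTORY.get(subject, {})

def pdp_decide(subject, resource):
    """Policy decision point: evaluate the subject against the policy."""
    rule = POLICIES.get(resource)
    if rule is None:
        return "Deny"  # assumption: this sketch denies when no policy exists
    return "Permit" if rule(pip_lookup(subject)) else "Deny"

def pep_direct_access(subject, resource):
    """Policy enforcement point: intercept a direct request, ask the PDP."""
    return pdp_decide(subject, resource) == "Permit"

@dataclass
class Mailbox:
    owner: str
    items: list
    delegates: dict = field(default_factory=dict)  # delegate -> permissions

def delegated_read(mailbox, delegate):
    """Delegation path as described: only the owner's grant is checked,
    and the PDP is never consulted for the delegate."""
    if "read" not in mailbox.delegates.get(delegate, set()):
        return []
    return list(mailbox.items)

def audit_delegation_gap(mailbox, delegate):
    """Items readable through delegation that a direct request would be denied."""
    return [item for item in delegated_read(mailbox, delegate)
            if not pep_direct_access(delegate, item)]

if __name__ == "__main__":
    inbox = Mailbox("owner", ["email:42"], {"first_user": {"read"}})
    print("direct request permitted:", pep_direct_access("first_user", "email:42"))
    print("visible via delegation:  ", delegated_read(inbox, "first_user"))
    print("policy gap:              ", audit_delegation_gap(inbox, "first_user"))
```

Running an audit of this kind over existing delegations shows where the owner's grant exposes content that the applicable policy would otherwise withhold from the delegate.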